UL 5500:2018-09 Remote Software Updates.
UL 5500 covers REMOTE software updates taking into account the manufacturer’s recommended process. It is limited to software elements having an influence on safety and on compliance with the particular end product safety standard.
This standard additionally covers hardware compatibility necessary for safety of the REMOTE software update.
NOTE 1 This standard does not cover:
— Functional SECURIIV such as premises, physical, and other similar SECURITY purposes;
— Safety related availability or connectivity of REMOTE communications:
— Field updates done with physical access by qualified personnel;
— Software development lifecycle and maturity;
— Cryptographic techniques for the purposes of user data confidentiality and consumer privacy;
— Insider threat (corporate espionage); and
— REMOTE control operation of the product.
NOTE 2 This standard is intended to be used in conjunction with the appropriate end product safety standard.
2 Normative references
For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies:
FIPS 140-2, (Annexes A, B and C) Security Requirements for Cryptographic Modules IEEE 802.3, Standard for Ethernet
IEEE 802.11, Information Technology — Telecommunications and Information Exchange Between
Systems — Local and Metropolitan Area Networks — Specific Requirements Part 11: Wireless LAN Medium
Access Control (MAC) and Physical Layer (PHY) Specifications
IEEE 802.15.4, Standard for Low-Rate Wireless Networks
ISO/IEC 9796, Information Technology — Security Technologies — Digital Signature Scheme Giving
Message Recovery
ISO/lEG 9797-1, In formation Technology — Security Technologies — Message Authentication Codes
(MA Cs)
ISO/IEC 9798 (all parts), Information Technology — Security Technologies — Entity Authentication ISO/lEG 10118-1, Information Technology — Security Technologies — Hash-Functions — Part 1: General
3 Terms and definitions
For the purposes of this standard, the following definitions apply.
the process of verifying the identity of an ENTITY.
the process of permitting an authenticated ENTITY to access or manipulate the product or the product property to the extent the ENTITY has such permission.
Note to entry: In this context, manipulation means the downloading, installation and verification of software.
a person, device, product or service which interacts with another via a network.
an occurrence that actually or potentially results in adverse safety consequences in the end device application.
Note to entry: INCIDENT is modified from: https://niccs.us-cert.gov/glossary#l
a term defined by the end product standard.
Note to entry: In the end product application, the term potentially addresses, but is not limited to the following conditions.UL 5500 pdf download.